Private companies running much of the nation's critical infrastructure, from oil production and the electric grid to manufacturing facilities and water treatment plants, know the potential damage cyberattacks can cause. The reason warnings keep coming from government officials, however, is that not enough is being done in the way of defense.
"There's nothing necessarily new," Weiss said. "The issue more than anything is people still aren't doing an adequate job of protecting themselves."
The Aramco attack failed because the company had one network for its administrative offices and a separate one for its production facilities. While this is considered a best practice, the deployment and maintenance costs are much too high for most companies. Therefore, the alternative is tight access controls.
"Not just firewalls, but controlling the systems that can make these changes and doing that from one point," said Ron Gula, chief executive of Tenable Network Security, who formerly worked for the National Security Agency (NSA).
For some companies, a cultural change may be necessary to shore up defenses. Rather than have facility workers and security professionals working separately, the two should collaborate on locking down industrial systems.
"These are cultural challenges where IT and engineering have historically always been separated," said Rick Holland, an analyst with Forrester Research. "This must change, and although many organizations are aware of this, the pace of change is glacial."